Contents

Introduction

The goal of this project is to provide an easy-to-use authentication system which doesn't require a password. This comes in handy at the barputer (touch-based input), or other services not related to core management. The system should be easy to use, easy to implement, provide fair enough protection, and shouldn't require special tools or hardware.

Possible ideas

There were a few ideas, and this should be a summary of them. If the summary becomes too long, create a page/project for it.

Challenge/Response auth

Pros

Easy to implement

Requires no central auth server (but can be used, if required - for barputer accounting)

Requires no hardware, but hardware is recommended: the algorithm Yvanj developed is easy, and doable by hand on a sheet of paper (it's designed with calculatable by hand in mind)

Cons

Not super secure: once the algorytm has been found, and the parameters, challenges/responses are easily faked. Should only be used on places where authentication is a benefit, but not a requirement.

Though the algo is easy, calculating by hard requires some time. Better not start with the current time if it's 14:50.

You would need to have the hardware with you at the barputer (same problem as paying cash: you don't always have your wallet with you at the bar).

People who buy a drink, want a drink, not a math project.

Other details

Requires username (is used in the calculation)

challenge/response

responses revoke itself by time. (should be a little less obvious how the time is processed, to prevent forging new tokens from existing ones easily - needs rethinking if this is an issue)

doesn't require central storage for validation of codes (but is possible to add an extra layer of security, or to store data associated with the user which must be accessible by other apps/services)

Sample implementation

I worked out a sample implementation of this system:

first draft (2011-09-18) C#, compilable and runnable under Mono+.net .

Barcode auth

Pros

Easy to use

More secure than challenge/response authentication

easy to transport/take with you

Cons

Requires special hardware (barcode reader)

Cards are easily forgotten at home, train/bus/tram, and knowing your barcode number by hard is not manageable for all people.

You have to have your card with you at the barputer to be able to identify yourself. So this would leave us with the same problem as people paing cash: sometimes your wallet is still in another room.

We have to find something to put on the barcode.

Once someone knows what's on your barcode, he can identify himself as you.